

Merge pull request #9 from weaveworks/ghcr-bot-PAT
Use GHCR bot PAT for package creation
souleb committed Sep 26, 2023
2 parents ca062e7 + 85a827b commit 31755ef
Showing 5 changed files with 221 additions and 248 deletions.
14 changes: 9 additions & 5 deletions .github/workflows/controller_release.yaml
Expand Up @@ -9,6 +9,9 @@ on:
version:
required: true
type: string
secrets:
ghcrToken:
required: true
outputs:
image_url:
value: ${{ jobs.release-controller.outputs.image_url }}
Expand All @@ -22,6 +25,7 @@ jobs:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
packages: write
steps:
- name: Checkout
Expand All @@ -43,8 +47,8 @@ jobs:
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
username: weave-ghcr-bot
password: ${{ secrets.ghcrToken }}
- name: Clone and patch repo
id: patch
run: |
Expand All @@ -60,8 +64,8 @@ jobs:
fi
bash -x ./scripts/patch_repo.sh "https://github.com/fluxcd/${{ inputs.controller }}.git" ${{ inputs.controller }} ${BASE_VERSION}
unlink patches-flux
echo ::set-output name=version::${VERSION}
echo ::set-output name=base_version::${BASE_VERSION}
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "base_version=${BASE_VERSION}" >> $GITHUB_OUTPUT
- name: Generate images meta
id: meta
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
Expand Down Expand Up @@ -94,7 +98,7 @@ jobs:
mkdir -p config/release
sed -i "s/${{ steps.patch.outputs.base_version }}/${{ steps.patch.outputs.version }}/g" ./${{ inputs.controller }}/config/manager/kustomization.yaml
kustomize build ./${{ inputs.controller }}/config/crd > ./config/release/${{ inputs.controller }}.crds.yaml
kustomize build ./${{ inputs.controller }}/config/manager > ./config/release/${{ inputs.controller}}deployment.yaml
kustomize build ./${{ inputs.controller }}/config/manager > ./config/release/${{ inputs.controller}}.deployment.yaml
- name: Upload release artifacts
uses: actions/upload-artifact@v3
with:
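Review bot: The login step at `uses: docker/login-action@v1` now receives a long-lived bot PAT through `secrets.ghcrToken` instead of the job-scoped GITHUB_TOKEN, yet the action is pinned only to a mutable major tag while `docker/metadata-action` two steps later is pinned to a commit SHA; the same applies to the `docker/login-action@v1` step in release_v21.yaml's release-flux-cli job. Pin both the way the later step in release_v21.yaml already is, `uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0`, so a moved tag cannot route the PAT through different action code. With the PAT doing the push, the job's `packages: write` grant may no longer be needed, but the rest of the job is outside the hunk, so confirm nothing else relies on it before narrowing. The two new `echo` lines should also quote the target, `>> "$GITHUB_OUTPUT"`.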
147 changes: 117 additions & 30 deletions .github/workflows/release_v21.yaml
Expand Up @@ -10,17 +10,18 @@ on:
- .github/workflows/release_v21.yaml
- .github/workflows/controller_release.yaml

permissions:
contents: write
id-token: write
packages: write

jobs:
release-source-controller:
permissions:
contents: read
id-token: write
packages: write
uses: ./.github/workflows/controller_release.yaml
with:
controller: source-controller
version: v21
secrets:
ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

sc-ghcr-provenance:
needs: [release-source-controller]
Expand All @@ -33,15 +34,22 @@ jobs:
with:
image: ghcr.io/${{ needs.release-source-controller.outputs.image_url }}
digest: ${{ needs.release-source-controller.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

release-kustomize-controller:
permissions:
contents: read
id-token: write
packages: write
uses: ./.github/workflows/controller_release.yaml
with:
controller: kustomize-controller
version: v21
secrets:
ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

kc-ghcr-provenance:
needs: [release-kustomize-controller]
Expand All @@ -54,15 +62,22 @@ jobs:
with:
image: ghcr.io/${{ needs.release-kustomize-controller.outputs.image_url }}
digest: ${{ needs.release-kustomize-controller.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

release-helm-controller:
permissions:
contents: read
id-token: write
packages: write
uses: ./.github/workflows/controller_release.yaml
with:
controller: helm-controller
version: v21
secrets:
ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

hc-ghcr-provenance:
needs: [release-helm-controller]
Expand All @@ -75,15 +90,22 @@ jobs:
with:
image: ghcr.io/${{ needs.release-helm-controller.outputs.image_url }}
digest: ${{ needs.release-helm-controller.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

release-image-reflector-controller:
permissions:
contents: read
id-token: write
packages: write
uses: ./.github/workflows/controller_release.yaml
with:
controller: image-reflector-controller
version: v21
secrets:
ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

irc-ghcr-provenance:
needs: [release-image-reflector-controller]
Expand All @@ -96,15 +118,22 @@ jobs:
with:
image: ghcr.io/${{ needs.release-image-reflector-controller.outputs.image_url }}
digest: ${{ needs.release-image-reflector-controller.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

release-image-automation-controller:
permissions:
contents: read
id-token: write
packages: write
uses: ./.github/workflows/controller_release.yaml
with:
controller: image-automation-controller
version: v21
secrets:
ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

iac-ghcr-provenance:
needs: [release-image-automation-controller]
Expand All @@ -117,15 +146,22 @@ jobs:
with:
image: ghcr.io/${{ needs.release-image-automation-controller.outputs.image_url }}
digest: ${{ needs.release-image-automation-controller.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

release-notification-controller:
permissions:
contents: read
id-token: write
packages: write
uses: ./.github/workflows/controller_release.yaml
with:
controller: notification-controller
version: v21
secrets:
ghcrToken: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

nc-ghcr-provenance:
needs: [release-notification-controller]
Expand All @@ -138,9 +174,10 @@ jobs:
with:
image: ghcr.io/${{ needs.release-notification-controller.outputs.image_url }}
digest: ${{ needs.release-notification-controller.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}

release-flux-cli:
outputs:
Expand Down Expand Up @@ -182,8 +219,8 @@ jobs:
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
username: weave-ghcr-bot
password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
- name: Clone and patch repo
id: patch
run: |
Expand All @@ -197,16 +234,43 @@ jobs:
fi
bash -x ./scripts/patch_repo.sh "https://github.com/fluxcd/flux2.git" flux2 ${FLUX2_BASE_VERSION}
unlink patches-flux
echo ::set-output name=version::${VERSION}
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Download all controllers release artifacts
uses: actions/download-artifact@v3
with:
path: ./flux2
- name: Place yamls in the right place
run: |
# source-controller yamls
cp -p ./flux2/source-controller/source-controller.crds.yaml ./flux2/manifests/bases/source-controller/
cp -p ./flux2/source-controller/source-controller.crds.yaml ./flux2/manifests/crds/
cp -p ./flux2/source-controller/source-controller.deployment.yaml ./flux2/manifests/bases/source-controller/
# kustomize-controller yamls
cp -p ./flux2/kustomize-controller/kustomize-controller.crds.yaml ./flux2/manifests/bases/kustomize-controller/
cp -p ./flux2/kustomize-controller/kustomize-controller.crds.yaml ./flux2/manifests/crds/
cp -p ./flux2/kustomize-controller/kustomize-controller.deployment.yaml ./flux2/manifests/bases/kustomize-controller/
# helm-controller yamls
cp -p ./flux2/helm-controller/helm-controller.crds.yaml ./flux2/manifests/bases/helm-controller/
cp -p ./flux2/helm-controller/helm-controller.crds.yaml ./flux2/manifests/crds/
cp -p ./flux2/helm-controller/helm-controller.deployment.yaml ./flux2/manifests/bases/helm-controller/
# image-reflector-controller yamls
cp -p ./flux2/image-reflector-controller/image-reflector-controller.crds.yaml ./flux2/manifests/bases/image-reflector-controller/
cp -p ./flux2/image-reflector-controller/image-reflector-controller.crds.yaml ./flux2/manifests/crds/
cp -p ./flux2/image-reflector-controller/image-reflector-controller.deployment.yaml ./flux2/manifests/bases/image-reflector-controller/
# image-automation-controller yamls
cp -p ./flux2/image-automation-controller/image-automation-controller.crds.yaml ./flux2/manifests/bases/image-automation-controller/
cp -p ./flux2/image-automation-controller/image-automation-controller.crds.yaml ./flux2/manifests/crds/
cp -p ./flux2/image-automation-controller/image-automation-controller.deployment.yaml ./flux2/manifests/bases/image-automation-controller/
# notification-controller yamls
cp -p ./flux2/notification-controller/notification-controller.crds.yaml ./flux2/manifests/bases/notification-controller/
cp -p ./flux2/notification-controller/notification-controller.crds.yaml ./flux2/manifests/crds/
cp -p ./flux2/notification-controller/notification-controller.deployment.yaml ./flux2/manifests/bases/notification-controller/
- name: Generate manifests
run: |
make ./flux2/cmd/flux/.manifests.done
./flux2/manifests/scripts/bundle.sh "" ./output manifests.tar.gz
kustomize build .flux2/manifests/install > ./output/install.yaml
cd ./flux2
make cmd/flux/.manifests.done
./manifests/scripts/bundle.sh "" ../output manifests.tar.gz
kustomize build ./manifests/install > ../output/install.yaml
- name: Build CRDs
run: |
kustomize build ./flux2/manifests/crds > all-crds.yaml
Expand All @@ -226,7 +290,7 @@ jobs:
version: latest
args: release --clean --skip-validate
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
- name: Generate SLSA metadata
id: slsa
Expand All @@ -251,11 +315,32 @@ jobs:
id-token: write
packages: write
steps:
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Checkout
uses: actions/checkout@v2
- name: Setup Kustomize
uses: fluxcd/pkg/actions/kustomize@main
- name: install stgit
shell: bash
run: |
sudo apt-get install -y stgit
git config --global user.name "Soule BA"
git config --global user.email "[email protected]"
- name: Clone and patch repo
id: patch
run: |
ln -s patches-flux-v21 patches-flux
rm -rf flux2 || true
source ./patches-flux/VERSION
if [[ "$FLUX2_SUFFIX_VERSION" =~ ^wa[.][0-9]+$ ]]; then
VERSION=${FLUX2_BASE_VERSION}-${FLUX2_SUFFIX_VERSION}
else
VERSION=${FLUX2_BASE_VERSION}-wa
fi
bash -x ./scripts/patch_repo.sh "https://github.com/fluxcd/flux2.git" flux2 ${FLUX2_BASE_VERSION}
unlink patches-flux
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Setup Flux CLI
uses: ./action/
uses: ./flux2/action/
- name: Prepare
id: prep
run: |
Expand All @@ -265,8 +350,8 @@ jobs:
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
username: weave-ghcr-bot
password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
- name: Push manifests to GHCR
run: |
mkdir -p ./ghcr.io/flux-system
Expand Down Expand Up @@ -301,6 +386,7 @@ jobs:
provenance-name: "provenance.intoto.jsonl"
base64-subjects: "${{ needs.release-flux-cli.outputs.hashes }}"
upload-assets: true
private-repository: true

ghcr-provenance:
needs: [release-flux-cli]
Expand All @@ -312,6 +398,7 @@ jobs:
with:
image: ghcr.io/${{ needs.release-flux-cli.outputs.image_url }}
digest: ${{ needs.release-flux-cli.outputs.image_digest }}
registry-username: ${{ github.actor }}
registry-username: weave-ghcr-bot
private-repository: true
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
registry-password: ${{ secrets.WEAVE_ASSURED_GHCR_BOT_TOKEN }}
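Review bot: The checkout step in the manifests-push job appears to go from the SHA-pinned `actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0` to the floating `actions/checkout@v2`, which both drops the pin and moves to an older major; keep `uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0` under the new `- name: Checkout`. Handing `WEAVE_ASSURED_GHCR_BOT_TOKEN` to goreleaser as `GITHUB_TOKEN` means the PAT must also carry release-creation rights on this repository, so it is no longer only a package-write credential; a comment above that `env:` block naming the scopes the token is expected to hold would make that visible, and a separate, narrower token for the GHCR logins would limit what a leak of either exposes. The new `install stgit` step sets a personal `git config --global user.name` and `user.email`; commits produced in CI should be attributed to the bot identity the workflow now logs in as. The enclosing jobs start and end outside the visible hunks.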
12 changes: 6 additions & 6 deletions .goreleaser.yml
@@ -1,8 +1,9 @@
project_name: weave-assured-flux
project_name: flux
builds:
- <<: &build_defaults
binary: flux
main: ./flux2/cmd/flux
main: ./cmd/flux
dir: ./flux2
ldflags:
- -s -w -X main.VERSION={{ .Version }}
env:
Expand Down Expand Up @@ -53,7 +54,6 @@ release:
- glob: output/crd-schemas.tar.gz
- glob: output/manifests.tar.gz
- glob: output/install.yaml
prerelease: "auto"

changelog:
skip: true
Expand All @@ -79,7 +79,7 @@ signs:
dockers:
- image_templates:
- 'ghcr.io/weaveworks/flux-cli:{{ .Tag }}-amd64'
dockerfile: Dockerfile
dockerfile: ./flux2/Dockerfile
use: buildx
goos: linux
goarch: amd64
Expand All @@ -94,7 +94,7 @@ dockers:
- "--platform=linux/amd64"
- image_templates:
- 'ghcr.io/weaveworks/flux-cli:{{ .Tag }}-arm64'
dockerfile: Dockerfile
dockerfile: ./flux2/Dockerfile
use: buildx
goos: linux
goarch: arm64
Expand All @@ -109,7 +109,7 @@ dockers:
- "--platform=linux/arm64"
- image_templates:
- 'ghcr.io/weaveworks/flux-cli:{{ .Tag }}-arm'
dockerfile: Dockerfile
dockerfile: ./flux2/Dockerfile
use: buildx
goos: linux
goarch: arm
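Review bot: Dropping `prerelease: "auto"` changes how releases are published: the version computed in release_v21.yaml is `${FLUX2_BASE_VERSION}-wa` or `-wa.N`, a semver pre-release suffix, so with `auto` every release would have been flagged pre-release and without it every one is now a full release; if that is the intent, record it in the `release:` block with a comment such as `# prerelease deliberately unset: -wa tags are published as full releases`. Renaming `project_name` to `flux` also renames the default archive and checksum assets, which anything that downloads `weave-assured-flux_*` release assets would notice; worth confirming against the install path and the Homebrew tap the release job publishes to. The `release:` block starts outside the hunk.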

